Hello,
I’m running greenbone community v23 with current feeds. I have a few machines in my environment showing false-positives for the following NVTs:
NVT: Microsoft OneDrive Privilege Escalation Vulnerability (Jul 2020)
NVT: Microsoft OneDrive Multiple Vulnerabilities (Sep 2020)
OneDrive is not installed on these machines. I am wondering how might I fix this? Are there vestigial registry entries that the authenticated scan is finding?
Hi @flabbyunit, so far it doesn’t look like anyone else has encountered this, so I am wondering if the thought in your first post might be on the right track: is there a possibility that OneDrive was ever installed prior on these machines and there could be remaining orphaned references to it?
Edit to add a question after re-reading. Do you mean this is happening when scanning freshly installed system images? If so I would lean towards some sort of artifacts in the system image being deployed.
Hi DeeAnn, thanks for reaching out!
This was my thought as well; I was hoping I could get someone’s insight as to what checks are associated with those NVTs that return a positive result, like old folder paths or registry entries it’s looking for. I may just have to manually research for OneDrive traces on one of these machines and go from there (another thing to add to the growing backlog). I wanted to avoid that if possible if someone knows already.
What would be helpful: Is there any resource I can use to find what a given NVT is doing to return positive results?
To troubleshoot this issue, you can find the VT’s OID (Object ID) from its page in the scan result. You can use that VT OID to find the NASL VT file by searching for files containing the same OID. The VTs are located in the /var/lib/openvas/plugins directory.
Inspecting the specific VT source code will reveal what the test is looking for on the system to claim a positive finding. If you find some detection issue, you can report it on the OpenVAS GitHub issues tracking page.